Security

What DNS data says about IoT devices in your home

What are all those IoT devices in your home actually doing on your home network? We ran a little test to find out, and found some interesting info.

Last updated: September 15, 2025

An avatar of the author
BlueCat
Cutaway house diagram showing multiple connected IoT devices linked in a home network representing DNS data traffic
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

BlueCat tested home IoT device behavior by placing a DNS Edge service point as the first hop on an engineer’s home network to capture 24-hour DNS logs from a Samsung Smart TV, Google Home, and Pioneer receiver. The analysis showed highly predictable DNS patterns—devices mostly query a small, expected set of domains for updates, streaming/CDN balancing (notably Netflix), and continuous Google service lookups—making anomalous queries easy to detect and indicating DNS security’s value for breach detection and mitigation. The study also highlighted deliberate security checks (Pioneer’s NXDOMAIN probe to detect DNS hijacking) and explained how DNS Edge can enforce policies at the first hop to block or redirect malicious or out-of-pattern queries in real time.

What did BlueCat’s home network test measure and why is it relevant to DNS security?

The test measured DNS query logs captured at a BlueCat DNS Edge service point placed as the first hop on a home network, recording 24 hours of traffic from a Samsung Smart TV, Google Home, and Pioneer receiver. This is relevant to DNS security because DNS traffic from IoT devices proved highly predictable and largely limited to a few expected domains; such predictability makes anomalous domain queries a strong indicator of compromise. Capturing queries at the first hop also enables immediate policy enforcement—blocking or redirecting malicious requests—so visibility and the ability to act quickly together improve breach detection and mitigation.

What unusual behavior did the Pioneer receiver exhibit and what does it indicate?

The Pioneer receiver produced about 16% NXDOMAIN responses because every ten minutes it queried a deliberately non-existent domain (channel.status.request.url). This is a defensive mechanism: if that non-existent domain ever resolves, it would indicate DNS hijacking or manipulation of DNS responses. Such deliberate checks are similar to protections used in applications like Google Chrome, and their presence on embedded devices demonstrates proactive measures to detect DNS-based tampering. If that test domain started resolving, it would signal a serious security issue requiring immediate attention.

How did Netflix and Google traffic patterns differ across the tested devices and what operational impacts were observed?

Netflix generated a significant share of DNS queries from the Smart TV, continuously polling content delivery network servers to balance downloads across sources and maximize streaming uptime; this activity helps explain Netflix’s large contribution to global internet traffic. In contrast, Google Home sent DNS queries continuously around the clock—about 95% to various Google services—with the remaining queries supporting features like recipes, trivia, and Spotify. Operationally, Netflix queries ceased when the TV was off, while the always-on Google Home produced steady background DNS activity, illustrating how device purpose drives constant versus intermittent query patterns and how those patterns can inform monitoring and policy decisions.

The number of connected devices per person nearly doubled over the last five years.  Every person on earth is now outnumbered by an estimated 6.58 devices.

Ever wonder what all those connected thermostats, TVs, refrigerators, and virtual assistants are actually doing on your home network?

We decided to run a little test and find out.

The test

Using BlueCat’s DNS Edge security platform, one of our engineers set up a service point on his home network.  Once this service point became the “first hop” of any DNS query, it was able to capture comprehensive logs for all internal and external traffic on the network.

We took logs of three connected devices – a Samsung Smart TV, a Google Home virtual assistant, and a Pioneer receiver – from a 24 hour period.  Then we analyzed the traffic to find out exactly what all of these devices and their associated apps were up to.

The results

Home network devices are very predictable.  We found that for the most part, connected devices only query a handful of domains.  It appears that most of those queries are pings for new updates or firmware downloads.  There are a few cloud-based services like Plex (a media application service) which merit a query now and then.  But overall, the devices were mostly reaching out to the exact domains you’d expect.

The DNS query success rate is extremely high…  We found that 100% of the DNS queries from the TV and the Google Home device resolved as expected.  This high success rate, when combined with the predictable usage patterns, make it very easy to spot a compromised device.  If we were seeing any domains aside from the usual suspects, it would have been cause for concern.  Thankfully, we didn’t.

…Except when it purposely isn’t.  Unlike the other devices we tested, around 16% of the DNS queries from the Pioneer receiver returned an NXDOMAIN response.  Digging into the data, we discovered that this was on purpose.  Every ten minutes, the device would attempt to connect with channel.status.request.url – a non-existent domain.  If that ever resolved, it would be an indicator of DNS hijacking.  This is a common security measure for apps like Google Chrome.  It was interesting to see this kind of protection used in a device as well.

Netflix is extremely chatty.  Netflix accounted for a significant number of DNS queries on the connected TV.  It was constantly polling content delivery network servers, balancing downloads against different sources to ensure maximum uptime of streamed content.  With all these queries, it’s no wonder that Netflix accounts for around fifteen percent of global internet traffic.

Google never stops talking.  Netflix queries dropped to zero at night, when the smart TV wasn’t on.  The Google Home device, however, sends DNS queries 24/7/365.  Almost all of those queries (around 95%) were to various Google services.  The remainder were from various sites used to gather information for recipes, trivia answers, Spotify, etc.

What we learned

In the end, the data show that devices on a home network behave a lot like devices on a corporate network.  If you compared the information we collected from a typical home-based IoT device against data from over five billion DNS queries on BlueCat-managed corporate networks, the modus operandi of most single-use devices would be very similar.

The predictability of DNS traffic from IoT devices shows just how valuable DNS security can be in detecting and mitigating a breach.  If the smart TV suddenly queries a domain outside of the standard handful of usual suspects, you should unplug it immediately.  If your Pioneer receiver starts resolving 100% of its queries – including those against the deliberately false one – you have a security problem.

Visibility into those malicious DNS queries is only half the equation.  You have to be able to act on threat information quickly.  If a service point is there on the first hop of an IoT device’s DNS query, you have the power to stop it.  That’s exactly what BlueCat does with its DNS security platform, DNS Edge – it applies security policies to every query, blocking or redirecting queries which sit outside the realm of normal patterns.

Want to learn more?  Here’s a quick primer on how BlueCat’s service points make us different.

Published in:

Security

Published on: February 21, 2020

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

BlueCat and Cisco graphic stating “Get DDI data from BlueCat in Cisco Cloud Control” for AI-driven network operations
Blog

BlueCat DDI data boosts Cisco Cloud Control AI-driven operations

BlueCat’s integration with Cisco Cloud Control provides AI agents with access to trusted DDI data for network investigation and remediation.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat
Blog

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM
Blog

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more